mod.rs source code [crates/openssl/src/x509/mod.rs]

1	//! The standard defining the format of public key certificates.
2	//!
3	//! An `X509` certificate binds an identity to a public key, and is either
4	//! signed by a certificate authority (CA) or self-signed. An entity that gets
5	//! a hold of a certificate can both verify your identity (via a CA) and encrypt
6	//! data with the included public key. `X509` certificates are used in many
7	//! Internet protocols, including SSL/TLS, which is the basis for HTTPS,
8	//! the secure protocol for browsing the web.
9
10	use cfg_if::cfg_if;
11	use foreign_types::{ForeignType, ForeignTypeRef, Opaque};
12	use libc::{c_int, c_long, c_uint, c_void};
13	use std::cmp::{self, Ordering};
14	use std::convert::{TryFrom, TryInto};
15	use std::error::Error;
16	use std::ffi::{CStr, CString};
17	use std::fmt;
18	use std::marker::PhantomData;
19	use std::mem;
20	use std::net::IpAddr;
21	use std::path::Path;
22	use std::ptr;
23	use std::slice;
24	use std::str;
25
26	use crate::asn1::{
27	Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef,
28	Asn1OctetStringRef, Asn1StringRef, Asn1TimeRef, Asn1Type,
29	};
30	use crate::bio::MemBioSlice;
31	use crate::conf::ConfRef;
32	use crate::error::ErrorStack;
33	use crate::ex_data::Index;
34	use crate::hash::{DigestBytes, MessageDigest};
35	use crate::nid::Nid;
36	use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public};
37	use crate::ssl::SslRef;
38	use crate::stack::{Stack, StackRef, Stackable};
39	use crate::string::OpensslString;
40	use crate::util::{ForeignTypeExt, ForeignTypeRefExt};
41	use crate::{cvt, cvt_n, cvt_p, cvt_p_const};
42	use openssl_macros::corresponds;
43
44	#[cfg(any(ossl102, libressl261))]
45	pub mod verify;
46
47	pub mod extension;
48	pub mod store;
49
50	#[cfg(test)]
51	mod tests;
52
53	/// A type of X509 extension.
54	///
55	/// # Safety
56	/// The value of NID and Output must match those in OpenSSL so that
57	/// `Output::from_ptr_opt(_get_ext_d2i(, NID, ...))` is valid.
58	pub unsafe trait ExtensionType {
59	const NID: Nid;
60	type Output: ForeignType;
61	}
62
63	foreign_type_and_impl_send_sync! {
64	type CType = ffi::X509_STORE_CTX;
65	fn drop = ffi::X509_STORE_CTX_free;
66
67	/// An `X509` certificate store context.
68	pub struct X509StoreContext;
69
70	/// A reference to an [`X509StoreContext`].
71	pub struct X509StoreContextRef;
72	}
73
74	impl X509StoreContext {
75	/// Returns the index which can be used to obtain a reference to the `Ssl` associated with a
76	/// context.
77	#[corresponds(SSL_get_ex_data_X509_STORE_CTX_idx)]
78	pub fn ssl_idx() -> Result<Index<X509StoreContext, SslRef>, ErrorStack> {
79	unsafe { cvt_n(ffi::SSL_get_ex_data_X509_STORE_CTX_idx()).map(\|idx: i32\| Index::from_raw(idx)) }
80	}
81
82	/// Creates a new `X509StoreContext` instance.
83	#[corresponds(X509_STORE_CTX_new)]
84	pub fn new() -> Result<X509StoreContext, ErrorStack> {
85	unsafe {
86	ffi::init();
87	cvt_p(ffi::X509_STORE_CTX_new()).map(op:X509StoreContext)
88	}
89	}
90	}
91
92	impl X509StoreContextRef {
93	/// Returns application data pertaining to an `X509` store context.
94	#[corresponds(X509_STORE_CTX_get_ex_data)]
95	pub fn ex_data<T>(&self, index: Index<X509StoreContext, T>) -> Option<&T> {
96	unsafe {
97	let data = ffi::X509_STORE_CTX_get_ex_data(self.as_ptr(), index.as_raw());
98	if data.is_null() {
99	None
100	} else {
101	Some(&(data as const T))
102	}
103	}
104	}
105
106	/// Returns the error code of the context.
107	#[corresponds(X509_STORE_CTX_get_error)]
108	pub fn error(&self) -> X509VerifyResult {
109	unsafe { X509VerifyResult::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr())) }
110	}
111
112	/// Initializes this context with the given certificate, certificates chain and certificate
113	/// store. After initializing the context, the `with_context` closure is called with the prepared
114	/// context. As long as the closure is running, the context stays initialized and can be used
115	/// to e.g. verify a certificate. The context will be cleaned up, after the closure finished.
116	///
117	/// `trust` - The certificate store with the trusted certificates.*
118	/// `cert` - The certificate that should be verified.*
119	/// `cert_chain` - The certificates chain.*
120	/// `with_context` - The closure that is called with the initialized context.*
121	///
122	/// This corresponds to [`X509_STORE_CTX_init`] before calling `with_context` and to
123	/// [`X509_STORE_CTX_cleanup`] after calling `with_context`.
124	///
125	/// [`X509_STORE_CTX_init`]: https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_init.html
126	/// [`X509_STORE_CTX_cleanup`]: https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_cleanup.html
127	pub fn init<F, T>(
128	&mut self,
129	trust: &store::X509StoreRef,
130	cert: &X509Ref,
131	cert_chain: &StackRef<X509>,
132	with_context: F,
133	) -> Result<T, ErrorStack>
134	where
135	F: FnOnce(&mut X509StoreContextRef) -> Result<T, ErrorStack>,
136	{
137	struct Cleanup<'a>(&'a mut X509StoreContextRef);
138
139	impl<'a> Drop for Cleanup<'a> {
140	fn drop(&mut self) {
141	unsafe {
142	ffi::X509_STORE_CTX_cleanup(self.0.as_ptr());
143	}
144	}
145	}
146
147	unsafe {
148	cvt(ffi::X509_STORE_CTX_init(
149	self.as_ptr(),
150	trust.as_ptr(),
151	cert.as_ptr(),
152	cert_chain.as_ptr(),
153	))?;
154
155	let cleanup = Cleanup(self);
156	with_context(cleanup.0)
157	}
158	}
159
160	/// Verifies the stored certificate.
161	///
162	/// Returns `true` if verification succeeds. The `error` method will return the specific
163	/// validation error if the certificate was not valid.
164	///
165	/// This will only work inside of a call to `init`.
166	#[corresponds(X509_verify_cert)]
167	pub fn verify_cert(&mut self) -> Result<bool, ErrorStack> {
168	unsafe { cvt_n(ffi::X509_verify_cert(self.as_ptr())).map(\|n\| n != `0`) }
169	}
170
171	/// Set the error code of the context.
172	#[corresponds(X509_STORE_CTX_set_error)]
173	pub fn set_error(&mut self, result: X509VerifyResult) {
174	unsafe {
175	ffi::X509_STORE_CTX_set_error(self.as_ptr(), result.as_raw());
176	}
177	}
178
179	/// Returns a reference to the certificate which caused the error or None if
180	/// no certificate is relevant to the error.
181	#[corresponds(X509_STORE_CTX_get_current_cert)]
182	pub fn current_cert(&self) -> Option<&X509Ref> {
183	unsafe {
184	let ptr = ffi::X509_STORE_CTX_get_current_cert(self.as_ptr());
185	X509Ref::from_const_ptr_opt(ptr)
186	}
187	}
188
189	/// Returns a non-negative integer representing the depth in the certificate
190	/// chain where the error occurred. If it is zero it occurred in the end
191	/// entity certificate, one if it is the certificate which signed the end
192	/// entity certificate and so on.
193	#[corresponds(X509_STORE_CTX_get_error_depth)]
194	pub fn error_depth(&self) -> u32 {
195	unsafe { ffi::X509_STORE_CTX_get_error_depth(self.as_ptr()) as u32 }
196	}
197
198	/// Returns a reference to a complete valid `X509` certificate chain.
199	#[corresponds(X509_STORE_CTX_get0_chain)]
200	pub fn chain(&self) -> Option<&StackRef<X509>> {
201	unsafe {
202	let chain = X509_STORE_CTX_get0_chain(self.as_ptr());
203
204	if chain.is_null() {
205	None
206	} else {
207	Some(StackRef::from_ptr(chain))
208	}
209	}
210	}
211	}
212
213	/// A builder used to construct an `X509`.
214	pub struct X509Builder(X509);
215
216	impl X509Builder {
217	/// Creates a new builder.
218	#[corresponds(X509_new)]
219	pub fn new() -> Result<X509Builder, ErrorStack> {
220	unsafe {
221	ffi::init();
222	cvt_p(ffi::X509_new()).map(\|p\| X509Builder(X509(p)))
223	}
224	}
225
226	/// Sets the notAfter constraint on the certificate.
227	#[corresponds(X509_set1_notAfter)]
228	pub fn set_not_after(&mut self, not_after: &Asn1TimeRef) -> Result<(), ErrorStack> {
229	unsafe { cvt(X509_set1_notAfter(self.0.as_ptr(), not_after.as_ptr())).map(\|_\| ()) }
230	}
231
232	/// Sets the notBefore constraint on the certificate.
233	#[corresponds(X509_set1_notBefore)]
234	pub fn set_not_before(&mut self, not_before: &Asn1TimeRef) -> Result<(), ErrorStack> {
235	unsafe { cvt(X509_set1_notBefore(self.0.as_ptr(), not_before.as_ptr())).map(\|_\| ()) }
236	}
237
238	/// Sets the version of the certificate.
239	///
240	/// Note that the version is zero-indexed; that is, a certificate corresponding to version 3 of
241	/// the X.509 standard should pass `2` to this method.
242	#[corresponds(X509_set_version)]
243	#[allow(clippy::useless_conversion)]
244	pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> {
245	unsafe { cvt(ffi::X509_set_version(self.0.as_ptr(), version as c_long)).map(\|_\| ()) }
246	}
247
248	/// Sets the serial number of the certificate.
249	#[corresponds(X509_set_serialNumber)]
250	pub fn set_serial_number(&mut self, serial_number: &Asn1IntegerRef) -> Result<(), ErrorStack> {
251	unsafe {
252	cvt(ffi::X509_set_serialNumber(
253	self.0.as_ptr(),
254	serial_number.as_ptr(),
255	))
256	.map(\|_\| ())
257	}
258	}
259
260	/// Sets the issuer name of the certificate.
261	#[corresponds(X509_set_issuer_name)]
262	pub fn set_issuer_name(&mut self, issuer_name: &X509NameRef) -> Result<(), ErrorStack> {
263	unsafe {
264	cvt(ffi::X509_set_issuer_name(
265	self.0.as_ptr(),
266	issuer_name.as_ptr(),
267	))
268	.map(\|_\| ())
269	}
270	}
271
272	/// Sets the subject name of the certificate.
273	///
274	/// When building certificates, the `C`, `ST`, and `O` options are common when using the openssl command line tools.
275	/// The `CN` field is used for the common name, such as a DNS name.
276	///
277	/// ```
278	/// use openssl::x509::{X509, X509NameBuilder};
279	///
280	/// let mut x509_name = openssl::x509::X509NameBuilder::new().unwrap();
281	/// x509_name.append_entry_by_text("C", "US").unwrap();
282	/// x509_name.append_entry_by_text("ST", "CA").unwrap();
283	/// x509_name.append_entry_by_text("O", "Some organization").unwrap();
284	/// x509_name.append_entry_by_text("CN", "www.example.com").unwrap();
285	/// let x509_name = x509_name.build();
286	///
287	/// let mut x509 = openssl::x509::X509::builder().unwrap();
288	/// x509.set_subject_name(&x509_name).unwrap();
289	/// ```
290	#[corresponds(X509_set_subject_name)]
291	pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> {
292	unsafe {
293	cvt(ffi::X509_set_subject_name(
294	self.0.as_ptr(),
295	subject_name.as_ptr(),
296	))
297	.map(\|_\| ())
298	}
299	}
300
301	/// Sets the public key associated with the certificate.
302	#[corresponds(X509_set_pubkey)]
303	pub fn set_pubkey<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack>
304	where
305	T: HasPublic,
306	{
307	unsafe { cvt(ffi::X509_set_pubkey(self.0.as_ptr(), key.as_ptr())).map(\|_\| ()) }
308	}
309
310	/// Returns a context object which is needed to create certain X509 extension values.
311	///
312	/// Set `issuer` to `None` if the certificate will be self-signed.
313	#[corresponds(X509V3_set_ctx)]
314	pub fn x509v3_context<'a>(
315	&'a self,
316	issuer: Option<&'a X509Ref>,
317	conf: Option<&'a ConfRef>,
318	) -> X509v3Context<'a> {
319	unsafe {
320	let mut ctx = mem::zeroed();
321
322	let issuer = match issuer {
323	Some(issuer) => issuer.as_ptr(),
324	None => self.0.as_ptr(),
325	};
326	let subject = self.0.as_ptr();
327	ffi::X509V3_set_ctx(
328	&mut ctx,
329	issuer,
330	subject,
331	ptr::null_mut(),
332	ptr::null_mut(),
333	`0`,
334	);
335
336	// nodb case taken care of since we zeroed ctx above
337	if let Some(conf) = conf {
338	ffi::X509V3_set_nconf(&mut ctx, conf.as_ptr());
339	}
340
341	X509v3Context(ctx, PhantomData)
342	}
343	}
344
345	/// Adds an X509 extension value to the certificate.
346	///
347	/// This works just as `append_extension` except it takes ownership of the `X509Extension`.
348	pub fn append_extension(&mut self, extension: X509Extension) -> Result<(), ErrorStack> {
349	self.append_extension2(&extension)
350	}
351
352	/// Adds an X509 extension value to the certificate.
353	#[corresponds(X509_add_ext)]
354	pub fn append_extension2(&mut self, extension: &X509ExtensionRef) -> Result<(), ErrorStack> {
355	unsafe {
356	cvt(ffi::X509_add_ext(self.0.as_ptr(), extension.as_ptr(), `-1`))?;
357	Ok(())
358	}
359	}
360
361	/// Signs the certificate with a private key.
362	#[corresponds(X509_sign)]
363	pub fn sign<T>(&mut self, key: &PKeyRef<T>, hash: MessageDigest) -> Result<(), ErrorStack>
364	where
365	T: HasPrivate,
366	{
367	unsafe { cvt(ffi::X509_sign(self.0.as_ptr(), key.as_ptr(), hash.as_ptr())).map(\|_\| ()) }
368	}
369
370	/// Consumes the builder, returning the certificate.
371	pub fn build(self) -> X509 {
372	self.0
373	}
374	}
375
376	foreign_type_and_impl_send_sync! {
377	type CType = ffi::X509;
378	fn drop = ffi::X509_free;
379
380	/// An `X509` public key certificate.
381	pub struct X509;
382	/// Reference to `X509`.
383	pub struct X509Ref;
384	}
385
386	impl X509Ref {
387	/// Returns this certificate's subject name.
388	#[corresponds(X509_get_subject_name)]
389	pub fn subject_name(&self) -> &X509NameRef {
390	unsafe {
391	let name = ffi::X509_get_subject_name(self.as_ptr());
392	X509NameRef::from_const_ptr_opt(name).expect("subject name must not be null")
393	}
394	}
395
396	/// Returns the hash of the certificates subject
397	#[corresponds(X509_subject_name_hash)]
398	pub fn subject_name_hash(&self) -> u32 {
399	#[allow(clippy::unnecessary_cast)]
400	unsafe {
401	ffi::X509_subject_name_hash(self.as_ptr()) as u32
402	}
403	}
404
405	/// Returns this certificate's issuer name.
406	#[corresponds(X509_get_issuer_name)]
407	pub fn issuer_name(&self) -> &X509NameRef {
408	unsafe {
409	let name = ffi::X509_get_issuer_name(self.as_ptr());
410	X509NameRef::from_const_ptr_opt(name).expect("issuer name must not be null")
411	}
412	}
413
414	/// Returns the hash of the certificates issuer
415	#[corresponds(X509_issuer_name_hash)]
416	pub fn issuer_name_hash(&self) -> u32 {
417	#[allow(clippy::unnecessary_cast)]
418	unsafe {
419	ffi::X509_issuer_name_hash(self.as_ptr()) as u32
420	}
421	}
422
423	/// Returns this certificate's subject alternative name entries, if they exist.
424	#[corresponds(X509_get_ext_d2i)]
425	pub fn subject_alt_names(&self) -> Option<Stack<GeneralName>> {
426	unsafe {
427	let stack = ffi::X509_get_ext_d2i(
428	self.as_ptr(),
429	ffi::NID_subject_alt_name,
430	ptr::null_mut(),
431	ptr::null_mut(),
432	);
433	Stack::from_ptr_opt(stack as *mut _)
434	}
435	}
436
437	/// Returns this certificate's CRL distribution points, if they exist.
438	#[corresponds(X509_get_ext_d2i)]
439	pub fn crl_distribution_points(&self) -> Option<Stack<DistPoint>> {
440	unsafe {
441	let stack = ffi::X509_get_ext_d2i(
442	self.as_ptr(),
443	ffi::NID_crl_distribution_points,
444	ptr::null_mut(),
445	ptr::null_mut(),
446	);
447	Stack::from_ptr_opt(stack as *mut _)
448	}
449	}
450
451	/// Returns this certificate's issuer alternative name entries, if they exist.
452	#[corresponds(X509_get_ext_d2i)]
453	pub fn issuer_alt_names(&self) -> Option<Stack<GeneralName>> {
454	unsafe {
455	let stack = ffi::X509_get_ext_d2i(
456	self.as_ptr(),
457	ffi::NID_issuer_alt_name,
458	ptr::null_mut(),
459	ptr::null_mut(),
460	);
461	Stack::from_ptr_opt(stack as *mut _)
462	}
463	}
464
465	/// Returns this certificate's [`authority information access`] entries, if they exist.
466	///
467	/// [`authority information access`]: https://tools.ietf.org/html/rfc5280#section-4.2.2.1
468	#[corresponds(X509_get_ext_d2i)]
469	pub fn authority_info(&self) -> Option<Stack<AccessDescription>> {
470	unsafe {
471	let stack = ffi::X509_get_ext_d2i(
472	self.as_ptr(),
473	ffi::NID_info_access,
474	ptr::null_mut(),
475	ptr::null_mut(),
476	);
477	Stack::from_ptr_opt(stack as *mut _)
478	}
479	}
480
481	/// Retrieves the path length extension from a certificate, if it exists.
482	#[corresponds(X509_get_pathlen)]
483	#[cfg(any(ossl110, boringssl))]
484	pub fn pathlen(&self) -> Option<u32> {
485	let v = unsafe { ffi::X509_get_pathlen(self.as_ptr()) };
486	u32::try_from(v).ok()
487	}
488
489	/// Returns this certificate's subject key id, if it exists.
490	#[corresponds(X509_get0_subject_key_id)]
491	#[cfg(any(ossl110, boringssl))]
492	pub fn subject_key_id(&self) -> Option<&Asn1OctetStringRef> {
493	unsafe {
494	let data = ffi::X509_get0_subject_key_id(self.as_ptr());
495	Asn1OctetStringRef::from_const_ptr_opt(data)
496	}
497	}
498
499	/// Returns this certificate's authority key id, if it exists.
500	#[corresponds(X509_get0_authority_key_id)]
501	#[cfg(any(ossl110, boringssl))]
502	pub fn authority_key_id(&self) -> Option<&Asn1OctetStringRef> {
503	unsafe {
504	let data = ffi::X509_get0_authority_key_id(self.as_ptr());
505	Asn1OctetStringRef::from_const_ptr_opt(data)
506	}
507	}
508
509	/// Returns this certificate's authority issuer name entries, if they exist.
510	#[corresponds(X509_get0_authority_issuer)]
511	#[cfg(ossl111d)]
512	pub fn authority_issuer(&self) -> Option<&StackRef<GeneralName>> {
513	unsafe {
514	let stack = ffi::X509_get0_authority_issuer(self.as_ptr());
515	StackRef::from_const_ptr_opt(stack)
516	}
517	}
518
519	/// Returns this certificate's authority serial number, if it exists.
520	#[corresponds(X509_get0_authority_serial)]
521	#[cfg(ossl111d)]
522	pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> {
523	unsafe {
524	let r = ffi::X509_get0_authority_serial(self.as_ptr());
525	Asn1IntegerRef::from_const_ptr_opt(r)
526	}
527	}
528
529	#[corresponds(X509_get_pubkey)]
530	pub fn public_key(&self) -> Result<PKey<Public>, ErrorStack> {
531	unsafe {
532	let pkey = cvt_p(ffi::X509_get_pubkey(self.as_ptr()))?;
533	Ok(PKey::from_ptr(pkey))
534	}
535	}
536
537	/// Returns a digest of the DER representation of the certificate.
538	#[corresponds(X509_digest)]
539	pub fn digest(&self, hash_type: MessageDigest) -> Result<DigestBytes, ErrorStack> {
540	unsafe {
541	let mut digest = DigestBytes {
542	buf: [`0`; ffi::EVP_MAX_MD_SIZE as usize],
543	len: ffi::EVP_MAX_MD_SIZE as usize,
544	};
545	let mut len = ffi::EVP_MAX_MD_SIZE as c_uint;
546	cvt(ffi::X509_digest(
547	self.as_ptr(),
548	hash_type.as_ptr(),
549	digest.buf.as_mut_ptr() as *mut _,
550	&mut len,
551	))?;
552	digest.len = len as usize;
553
554	Ok(digest)
555	}
556	}
557
558	#[deprecated(since = "0.10.9", note = "renamed to digest")]
559	pub fn fingerprint(&self, hash_type: MessageDigest) -> Result<Vec<u8>, ErrorStack> {
560	self.digest(hash_type).map(\|b\| b.to_vec())
561	}
562
563	/// Returns the certificate's Not After validity period.
564	#[corresponds(X509_getm_notAfter)]
565	pub fn not_after(&self) -> &Asn1TimeRef {
566	unsafe {
567	let date = X509_getm_notAfter(self.as_ptr());
568	Asn1TimeRef::from_const_ptr_opt(date).expect("not_after must not be null")
569	}
570	}
571
572	/// Returns the certificate's Not Before validity period.
573	#[corresponds(X509_getm_notBefore)]
574	pub fn not_before(&self) -> &Asn1TimeRef {
575	unsafe {
576	let date = X509_getm_notBefore(self.as_ptr());
577	Asn1TimeRef::from_const_ptr_opt(date).expect("not_before must not be null")
578	}
579	}
580
581	/// Returns the certificate's signature
582	#[corresponds(X509_get0_signature)]
583	pub fn signature(&self) -> &Asn1BitStringRef {
584	unsafe {
585	let mut signature = ptr::null();
586	X509_get0_signature(&mut signature, ptr::null_mut(), self.as_ptr());
587	Asn1BitStringRef::from_const_ptr_opt(signature).expect("signature must not be null")
588	}
589	}
590
591	/// Returns the certificate's signature algorithm.
592	#[corresponds(X509_get0_signature)]
593	pub fn signature_algorithm(&self) -> &X509AlgorithmRef {
594	unsafe {
595	let mut algor = ptr::null();
596	X509_get0_signature(ptr::null_mut(), &mut algor, self.as_ptr());
597	X509AlgorithmRef::from_const_ptr_opt(algor)
598	.expect("signature algorithm must not be null")
599	}
600	}
601
602	/// Returns the list of OCSP responder URLs specified in the certificate's Authority Information
603	/// Access field.
604	#[corresponds(X509_get1_ocsp)]
605	pub fn ocsp_responders(&self) -> Result<Stack<OpensslString>, ErrorStack> {
606	unsafe { cvt_p(ffi::X509_get1_ocsp(self.as_ptr())).map(\|p\| Stack::from_ptr(p)) }
607	}
608
609	/// Checks that this certificate issued `subject`.
610	#[corresponds(X509_check_issued)]
611	pub fn issued(&self, subject: &X509Ref) -> X509VerifyResult {
612	unsafe {
613	let r = ffi::X509_check_issued(self.as_ptr(), subject.as_ptr());
614	X509VerifyResult::from_raw(r)
615	}
616	}
617
618	/// Returns certificate version. If this certificate has no explicit version set, it defaults to
619	/// version 1.
620	///
621	/// Note that `0` return value stands for version 1, `1` for version 2 and so on.
622	#[corresponds(X509_get_version)]
623	#[cfg(ossl110)]
624	#[allow(clippy::unnecessary_cast)]
625	pub fn version(&self) -> i32 {
626	unsafe { ffi::X509_get_version(self.as_ptr()) as i32 }
627	}
628
629	/// Check if the certificate is signed using the given public key.
630	///
631	/// Only the signature is checked: no other checks (such as certificate chain validity)
632	/// are performed.
633	///
634	/// Returns `true` if verification succeeds.
635	#[corresponds(X509_verify)]
636	pub fn verify<T>(&self, key: &PKeyRef<T>) -> Result<bool, ErrorStack>
637	where
638	T: HasPublic,
639	{
640	unsafe { cvt_n(ffi::X509_verify(self.as_ptr(), key.as_ptr())).map(\|n\| n != `0`) }
641	}
642
643	/// Returns this certificate's serial number.
644	#[corresponds(X509_get_serialNumber)]
645	pub fn serial_number(&self) -> &Asn1IntegerRef {
646	unsafe {
647	let r = ffi::X509_get_serialNumber(self.as_ptr());
648	Asn1IntegerRef::from_const_ptr_opt(r).expect("serial number must not be null")
649	}
650	}
651
652	to_pem! {
653	/// Serializes the certificate into a PEM-encoded X509 structure.
654	///
655	/// The output will have a header of `-----BEGIN CERTIFICATE-----`.
656	#[corresponds(PEM_write_bio_X509)]
657	to_pem,
658	ffi::PEM_write_bio_X509
659	}
660
661	to_der! {
662	/// Serializes the certificate into a DER-encoded X509 structure.
663	#[corresponds(i2d_X509)]
664	to_der,
665	ffi::i2d_X509
666	}
667
668	to_pem! {
669	/// Converts the certificate to human readable text.
670	#[corresponds(X509_print)]
671	to_text,
672	ffi::X509_print
673	}
674	}
675
676	impl ToOwned for X509Ref {
677	type Owned = X509;
678
679	fn to_owned(&self) -> X509 {
680	unsafe {
681	X509_up_ref(self.as_ptr());
682	X509::from_ptr(self.as_ptr())
683	}
684	}
685	}
686
687	impl Ord for X509Ref {
688	fn cmp(&self, other: &Self) -> cmp::Ordering {
689	// X509_cmp returns a number <0 for less than, 0 for equal and >0 for greater than.
690	// It can't fail if both pointers are valid, which we know is true.
691	let cmp: i32 = unsafe { ffi::X509_cmp(self.as_ptr(), b:other.as_ptr()) };
692	cmp.cmp(&`0`)
693	}
694	}
695
696	impl PartialOrd for X509Ref {
697	fn partial_cmp(&self, other: &Self) -> Option<cmp::Ordering> {
698	Some(self.cmp(other))
699	}
700	}
701
702	impl PartialOrd<X509> for X509Ref {
703	fn partial_cmp(&self, other: &X509) -> Option<cmp::Ordering> {
704	<X509Ref as PartialOrd<X509Ref>>::partial_cmp(self, other)
705	}
706	}
707
708	impl PartialEq for X509Ref {
709	fn eq(&self, other: &Self) -> bool {
710	self.cmp(other) == cmp::Ordering::Equal
711	}
712	}
713
714	impl PartialEq<X509> for X509Ref {
715	fn eq(&self, other: &X509) -> bool {
716	<X509Ref as PartialEq<X509Ref>>::eq(self, other)
717	}
718	}
719
720	impl Eq for X509Ref {}
721
722	impl X509 {
723	/// Returns a new builder.
724	pub fn builder() -> Result<X509Builder, ErrorStack> {
725	X509Builder::new()
726	}
727
728	from_pem! {
729	/// Deserializes a PEM-encoded X509 structure.
730	///
731	/// The input should have a header of `-----BEGIN CERTIFICATE-----`.
732	#[corresponds(PEM_read_bio_X509)]
733	from_pem,
734	X509,
735	ffi::PEM_read_bio_X509
736	}
737
738	from_der! {
739	/// Deserializes a DER-encoded X509 structure.
740	#[corresponds(d2i_X509)]
741	from_der,
742	X509,
743	ffi::d2i_X509
744	}
745
746	/// Deserializes a list of PEM-formatted certificates.
747	#[corresponds(PEM_read_bio_X509)]
748	pub fn stack_from_pem(pem: &[u8]) -> Result<Vec<X509>, ErrorStack> {
749	unsafe {
750	ffi::init();
751	let bio = MemBioSlice::new(pem)?;
752
753	let mut certs = vec![];
754	loop {
755	let r =
756	ffi::PEM_read_bio_X509(bio.as_ptr(), ptr::null_mut(), None, ptr::null_mut());
757	if r.is_null() {
758	let e = ErrorStack::get();
759
760	if let Some(err) = e.errors().last() {
761	if err.library_code() == ffi::ERR_LIB_PEM as libc::c_int
762	&& err.reason_code() == ffi::PEM_R_NO_START_LINE as libc::c_int
763	{
764	break;
765	}
766	}
767
768	return Err(e);
769	} else {
770	certs.push(X509(r));
771	}
772	}
773
774	Ok(certs)
775	}
776	}
777	}
778
779	impl Clone for X509 {
780	fn clone(&self) -> X509 {
781	X509Ref::to_owned(self)
782	}
783	}
784
785	impl fmt::Debug for X509 {
786	fn fmt(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
787	let serial = match &self.serial_number().to_bn() {
788	Ok(bn) => match bn.to_hex_str() {
789	Ok(hex) => hex.to_string(),
790	Err(_) => "".to_string(),
791	},
792	Err(_) => "".to_string(),
793	};
794	let mut debug_struct = formatter.debug_struct("X509");
795	debug_struct.field("serial_number", &serial);
796	debug_struct.field("signature_algorithm", &self.signature_algorithm().object());
797	debug_struct.field("issuer", &self.issuer_name());
798	debug_struct.field("subject", &self.subject_name());
799	if let Some(subject_alt_names) = &self.subject_alt_names() {
800	debug_struct.field("subject_alt_names", subject_alt_names);
801	}
802	debug_struct.field("not_before", &self.not_before());
803	debug_struct.field("not_after", &self.not_after());
804
805	if let Ok(public_key) = &self.public_key() {
806	debug_struct.field("public_key", public_key);
807	};
808	// TODO: Print extensions once they are supported on the X509 struct.
809
810	debug_struct.finish()
811	}
812	}
813
814	impl AsRef<X509Ref> for X509Ref {
815	fn as_ref(&self) -> &X509Ref {
816	self
817	}
818	}
819
820	impl Stackable for X509 {
821	type StackType = ffi::stack_st_X509;
822	}
823
824	impl Ord for X509 {
825	fn cmp(&self, other: &Self) -> cmp::Ordering {
826	X509Ref::cmp(self, other)
827	}
828	}
829
830	impl PartialOrd for X509 {
831	fn partial_cmp(&self, other: &Self) -> Option<cmp::Ordering> {
832	Some(self.cmp(other))
833	}
834	}
835
836	impl PartialOrd<X509Ref> for X509 {
837	fn partial_cmp(&self, other: &X509Ref) -> Option<cmp::Ordering> {
838	X509Ref::partial_cmp(self, other)
839	}
840	}
841
842	impl PartialEq for X509 {
843	fn eq(&self, other: &Self) -> bool {
844	X509Ref::eq(self, other)
845	}
846	}
847
848	impl PartialEq<X509Ref> for X509 {
849	fn eq(&self, other: &X509Ref) -> bool {
850	X509Ref::eq(self, other)
851	}
852	}
853
854	impl Eq for X509 {}
855
856	/// A context object required to construct certain `X509` extension values.
857	pub struct X509v3Context<'a>(ffi::X509V3_CTX, PhantomData<(&'a X509Ref, &'a ConfRef)>);
858
859	impl<'a> X509v3Context<'a> {
860	pub fn as_ptr(&self) -> *mut ffi::X509V3_CTX {
861	&self.0 as *const _ as *mut _
862	}
863	}
864
865	foreign_type_and_impl_send_sync! {
866	type CType = ffi::X509_EXTENSION;
867	fn drop = ffi::X509_EXTENSION_free;
868
869	/// Permit additional fields to be added to an `X509` v3 certificate.
870	pub struct X509Extension;
871	/// Reference to `X509Extension`.
872	pub struct X509ExtensionRef;
873	}
874
875	impl Stackable for X509Extension {
876	type StackType = ffi::stack_st_X509_EXTENSION;
877	}
878
879	impl X509Extension {
880	/// Constructs an X509 extension value. See `man x509v3_config` for information on supported
881	/// names and their value formats.
882	///
883	/// Some extension types, such as `subjectAlternativeName`, require an `X509v3Context` to be
884	/// provided.
885	///
886	/// DO NOT CALL THIS WITH UNTRUSTED `value`: `value` is an OpenSSL
887	/// mini-language that can read arbitrary files.
888	///
889	/// See the extension module for builder types which will construct certain common extensions.
890	///
891	/// This function is deprecated, `X509Extension::new_from_der` or the
892	/// types in `x509::extension` should be used in its place.
893	#[deprecated(
894	note = "Use x509::extension types or new_from_der instead",
895	since = "0.10.51"
896	)]
897	pub fn new(
898	conf: Option<&ConfRef>,
899	context: Option<&X509v3Context<'_>>,
900	name: &str,
901	value: &str,
902	) -> Result<X509Extension, ErrorStack> {
903	let name = CString::new(name).unwrap();
904	let value = CString::new(value).unwrap();
905	let mut ctx;
906	unsafe {
907	ffi::init();
908	let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr);
909	let context_ptr = match context {
910	Some(c) => c.as_ptr(),
911	None => {
912	ctx = mem::zeroed();
913
914	ffi::X509V3_set_ctx(
915	&mut ctx,
916	ptr::null_mut(),
917	ptr::null_mut(),
918	ptr::null_mut(),
919	ptr::null_mut(),
920	`0`,
921	);
922	&mut ctx
923	}
924	};
925	let name = name.as_ptr() as *mut _;
926	let value = value.as_ptr() as *mut _;
927
928	cvt_p(ffi::X509V3_EXT_nconf(conf, context_ptr, name, value)).map(X509Extension)
929	}
930	}
931
932	/// Constructs an X509 extension value. See `man x509v3_config` for information on supported
933	/// extensions and their value formats.
934	///
935	/// Some extension types, such as `nid::SUBJECT_ALTERNATIVE_NAME`, require an `X509v3Context` to
936	/// be provided.
937	///
938	/// DO NOT CALL THIS WITH UNTRUSTED `value`: `value` is an OpenSSL
939	/// mini-language that can read arbitrary files.
940	///
941	/// See the extension module for builder types which will construct certain common extensions.
942	///
943	/// This function is deprecated, `X509Extension::new_from_der` or the
944	/// types in `x509::extension` should be used in its place.
945	#[deprecated(
946	note = "Use x509::extension types or new_from_der instead",
947	since = "0.10.51"
948	)]
949	pub fn new_nid(
950	conf: Option<&ConfRef>,
951	context: Option<&X509v3Context<'_>>,
952	name: Nid,
953	value: &str,
954	) -> Result<X509Extension, ErrorStack> {
955	let value = CString::new(value).unwrap();
956	let mut ctx;
957	unsafe {
958	ffi::init();
959	let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr);
960	let context_ptr = match context {
961	Some(c) => c.as_ptr(),
962	None => {
963	ctx = mem::zeroed();
964
965	ffi::X509V3_set_ctx(
966	&mut ctx,
967	ptr::null_mut(),
968	ptr::null_mut(),
969	ptr::null_mut(),
970	ptr::null_mut(),
971	`0`,
972	);
973	&mut ctx
974	}
975	};
976	let name = name.as_raw();
977	let value = value.as_ptr() as *mut _;
978
979	cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context_ptr, name, value)).map(X509Extension)
980	}
981	}
982
983	/// Constructs a new X509 extension value from its OID, whether it's
984	/// critical, and its DER contents.
985	///
986	/// The extent structure of the DER value will vary based on the
987	/// extension type, and can generally be found in the RFC defining the
988	/// extension.
989	///
990	/// For common extension types, there are Rust APIs provided in
991	/// `openssl::x509::extensions` which are more ergonomic.
992	pub fn new_from_der(
993	oid: &Asn1ObjectRef,
994	critical: bool,
995	der_contents: &Asn1OctetStringRef,
996	) -> Result<X509Extension, ErrorStack> {
997	unsafe {
998	cvt_p(ffi::X509_EXTENSION_create_by_OBJ(
999	ptr::null_mut(),
1000	oid.as_ptr(),
1001	critical as _,
1002	der_contents.as_ptr(),
1003	))
1004	.map(X509Extension)
1005	}
1006	}
1007
1008	pub(crate) unsafe fn new_internal(
1009	nid: Nid,
1010	critical: bool,
1011	value: *mut c_void,
1012	) -> Result<X509Extension, ErrorStack> {
1013	ffi::init();
1014	cvt_p(ffi::X509V3_EXT_i2d(nid.as_raw(), critical as _, value)).map(X509Extension)
1015	}
1016
1017	/// Adds an alias for an extension
1018	///
1019	/// # Safety
1020	///
1021	/// This method modifies global state without locking and therefore is not thread safe
1022	#[cfg(not(libressl390))]
1023	#[corresponds(X509V3_EXT_add_alias)]
1024	#[deprecated(
1025	note = "Use x509::extension types or new_from_der and then this is not necessary",
1026	since = "0.10.51"
1027	)]
1028	pub unsafe fn add_alias(to: Nid, from: Nid) -> Result<(), ErrorStack> {
1029	ffi::init();
1030	cvt(ffi::X509V3_EXT_add_alias(to.as_raw(), from.as_raw())).map(\|_\| ())
1031	}
1032	}
1033
1034	impl X509ExtensionRef {
1035	to_der! {
1036	/// Serializes the Extension to its standard DER encoding.
1037	#[corresponds(i2d_X509_EXTENSION)]
1038	to_der,
1039	ffi::i2d_X509_EXTENSION
1040	}
1041	}
1042
1043	/// A builder used to construct an `X509Name`.
1044	pub struct X509NameBuilder(X509Name);
1045
1046	impl X509NameBuilder {
1047	/// Creates a new builder.
1048	pub fn new() -> Result<X509NameBuilder, ErrorStack> {
1049	unsafe {
1050	ffi::init();
1051	cvt_p(ffi::X509_NAME_new()).map(\|p\| X509NameBuilder(X509Name(p)))
1052	}
1053	}
1054
1055	/// Add a name entry
1056	#[corresponds(X509_NAME_add_entry)]
1057	#[cfg(any(ossl101, libressl350))]
1058	pub fn append_entry(&mut self, ne: &X509NameEntryRef) -> std::result::Result<(), ErrorStack> {
1059	unsafe {
1060	cvt(ffi::X509_NAME_add_entry(
1061	self.0.as_ptr(),
1062	ne.as_ptr(),
1063	`-1`,
1064	`0`,
1065	))
1066	.map(\|_\| ())
1067	}
1068	}
1069
1070	/// Add a field entry by str.
1071	///
1072	/// This corresponds to [`X509_NAME_add_entry_by_txt`].
1073	///
1074	/// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html
1075	pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> {
1076	unsafe {
1077	let field = CString::new(field).unwrap();
1078	assert!(value.len() <= crate::SLenType::max_value() as usize);
1079	cvt(ffi::X509_NAME_add_entry_by_txt(
1080	self.0.as_ptr(),
1081	field.as_ptr() as *mut _,
1082	ffi::MBSTRING_UTF8,
1083	value.as_ptr(),
1084	value.len() as crate::SLenType,
1085	`-1`,
1086	`0`,
1087	))
1088	.map(\|_\| ())
1089	}
1090	}
1091
1092	/// Add a field entry by str with a specific type.
1093	///
1094	/// This corresponds to [`X509_NAME_add_entry_by_txt`].
1095	///
1096	/// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html
1097	pub fn append_entry_by_text_with_type(
1098	&mut self,
1099	field: &str,
1100	value: &str,
1101	ty: Asn1Type,
1102	) -> Result<(), ErrorStack> {
1103	unsafe {
1104	let field = CString::new(field).unwrap();
1105	assert!(value.len() <= crate::SLenType::max_value() as usize);
1106	cvt(ffi::X509_NAME_add_entry_by_txt(
1107	self.0.as_ptr(),
1108	field.as_ptr() as *mut _,
1109	ty.as_raw(),
1110	value.as_ptr(),
1111	value.len() as crate::SLenType,
1112	`-1`,
1113	`0`,
1114	))
1115	.map(\|_\| ())
1116	}
1117	}
1118
1119	/// Add a field entry by NID.
1120	///
1121	/// This corresponds to [`X509_NAME_add_entry_by_NID`].
1122	///
1123	/// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html
1124	pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> {
1125	unsafe {
1126	assert!(value.len() <= crate::SLenType::max_value() as usize);
1127	cvt(ffi::X509_NAME_add_entry_by_NID(
1128	self.0.as_ptr(),
1129	field.as_raw(),
1130	ffi::MBSTRING_UTF8,
1131	value.as_ptr() as *mut _,
1132	value.len() as crate::SLenType,
1133	`-1`,
1134	`0`,
1135	))
1136	.map(\|_\| ())
1137	}
1138	}
1139
1140	/// Add a field entry by NID with a specific type.
1141	///
1142	/// This corresponds to [`X509_NAME_add_entry_by_NID`].
1143	///
1144	/// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html
1145	pub fn append_entry_by_nid_with_type(
1146	&mut self,
1147	field: Nid,
1148	value: &str,
1149	ty: Asn1Type,
1150	) -> Result<(), ErrorStack> {
1151	unsafe {
1152	assert!(value.len() <= crate::SLenType::max_value() as usize);
1153	cvt(ffi::X509_NAME_add_entry_by_NID(
1154	self.0.as_ptr(),
1155	field.as_raw(),
1156	ty.as_raw(),
1157	value.as_ptr() as *mut _,
1158	value.len() as crate::SLenType,
1159	`-1`,
1160	`0`,
1161	))
1162	.map(\|_\| ())
1163	}
1164	}
1165
1166	/// Return an `X509Name`.
1167	pub fn build(self) -> X509Name {
1168	// Round-trip through bytes because OpenSSL is not const correct and
1169	// names in a "modified" state compute various things lazily. This can
1170	// lead to data-races because OpenSSL doesn't have locks or anything.
1171	X509Name::from_der(&self.0.to_der().unwrap()).unwrap()
1172	}
1173	}
1174
1175	foreign_type_and_impl_send_sync! {
1176	type CType = ffi::X509_NAME;
1177	fn drop = ffi::X509_NAME_free;
1178
1179	/// The names of an `X509` certificate.
1180	pub struct X509Name;
1181	/// Reference to `X509Name`.
1182	pub struct X509NameRef;
1183	}
1184
1185	impl X509Name {
1186	/// Returns a new builder.
1187	pub fn builder() -> Result<X509NameBuilder, ErrorStack> {
1188	X509NameBuilder::new()
1189	}
1190
1191	/// Loads subject names from a file containing PEM-formatted certificates.
1192	///
1193	/// This is commonly used in conjunction with `SslContextBuilder::set_client_ca_list`.
1194	pub fn load_client_ca_file<P: AsRef<Path>>(file: P) -> Result<Stack<X509Name>, ErrorStack> {
1195	let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap();
1196	unsafe { cvt_p(ffi::SSL_load_client_CA_file(file.as_ptr())).map(\|p\| Stack::from_ptr(p)) }
1197	}
1198
1199	from_der! {
1200	/// Deserializes a DER-encoded X509 name structure.
1201	///
1202	/// This corresponds to [`d2i_X509_NAME`].
1203	///
1204	/// [`d2i_X509_NAME`]: https://www.openssl.org/docs/manmaster/man3/d2i_X509_NAME.html
1205	from_der,
1206	X509Name,
1207	ffi::d2i_X509_NAME
1208	}
1209	}
1210
1211	impl Stackable for X509Name {
1212	type StackType = ffi::stack_st_X509_NAME;
1213	}
1214
1215	impl X509NameRef {
1216	/// Returns the name entries by the nid.
1217	pub fn entries_by_nid(&self, nid: Nid) -> X509NameEntries<'_> {
1218	X509NameEntries {
1219	name: self,
1220	nid: Some(nid),
1221	loc: `-1`,
1222	}
1223	}
1224
1225	/// Returns an iterator over all `X509NameEntry` values
1226	pub fn entries(&self) -> X509NameEntries<'_> {
1227	X509NameEntries {
1228	name: self,
1229	nid: None,
1230	loc: `-1`,
1231	}
1232	}
1233
1234	/// Compare two names, like [`Ord`] but it may fail.
1235	///
1236	/// With OpenSSL versions from 3.0.0 this may return an error if the underlying `X509_NAME_cmp`
1237	/// call fails.
1238	/// For OpenSSL versions before 3.0.0 it will never return an error, but due to a bug it may
1239	/// spuriously return `Ordering::Less` if the `X509_NAME_cmp` call fails.
1240	#[corresponds(X509_NAME_cmp)]
1241	pub fn try_cmp(&self, other: &X509NameRef) -> Result<Ordering, ErrorStack> {
1242	let cmp = unsafe { ffi::X509_NAME_cmp(self.as_ptr(), other.as_ptr()) };
1243	if cfg!(ossl300) && cmp == `-2` {
1244	return Err(ErrorStack::get());
1245	}
1246	Ok(cmp.cmp(&`0`))
1247	}
1248
1249	/// Copies the name to a new `X509Name`.
1250	#[corresponds(X509_NAME_dup)]
1251	#[cfg(any(boringssl, ossl110, libressl270))]
1252	pub fn to_owned(&self) -> Result<X509Name, ErrorStack> {
1253	unsafe { cvt_p(ffi::X509_NAME_dup(self.as_ptr())).map(\|n\| X509Name::from_ptr(n)) }
1254	}
1255
1256	to_der! {
1257	/// Serializes the certificate into a DER-encoded X509 name structure.
1258	///
1259	/// This corresponds to [`i2d_X509_NAME`].
1260	///
1261	/// [`i2d_X509_NAME`]: https://www.openssl.org/docs/manmaster/crypto/i2d_X509_NAME.html
1262	to_der,
1263	ffi::i2d_X509_NAME
1264	}
1265	}
1266
1267	impl fmt::Debug for X509NameRef {
1268	fn fmt(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
1269	formatter.debug_list().entries(self.entries()).finish()
1270	}
1271	}
1272
1273	/// A type to destructure and examine an `X509Name`.
1274	pub struct X509NameEntries<'a> {
1275	name: &'a X509NameRef,
1276	nid: Option<Nid>,
1277	loc: c_int,
1278	}
1279
1280	impl<'a> Iterator for X509NameEntries<'a> {
1281	type Item = &'a X509NameEntryRef;
1282
1283	fn next(&mut self) -> Option<&'a X509NameEntryRef> {
1284	unsafe {
1285	match self.nid {
1286	Some(nid) => {
1287	// There is a `Nid` specified to search for
1288	self.loc =
1289	ffi::X509_NAME_get_index_by_NID(self.name.as_ptr(), nid.as_raw(), self.loc);
1290	if self.loc == `-1` {
1291	return None;
1292	}
1293	}
1294	None => {
1295	// Iterate over all `Nid`s
1296	self.loc += `1`;
1297	if self.loc >= ffi::X509_NAME_entry_count(self.name.as_ptr()) {
1298	return None;
1299	}
1300	}
1301	}
1302
1303	let entry = ffi::X509_NAME_get_entry(self.name.as_ptr(), self.loc);
1304
1305	Some(X509NameEntryRef::from_const_ptr_opt(entry).expect("entry must not be null"))
1306	}
1307	}
1308	}
1309
1310	foreign_type_and_impl_send_sync! {
1311	type CType = ffi::X509_NAME_ENTRY;
1312	fn drop = ffi::X509_NAME_ENTRY_free;
1313
1314	/// A name entry associated with a `X509Name`.
1315	pub struct X509NameEntry;
1316	/// Reference to `X509NameEntry`.
1317	pub struct X509NameEntryRef;
1318	}
1319
1320	impl X509NameEntryRef {
1321	/// Returns the field value of an `X509NameEntry`.
1322	///
1323	/// This corresponds to [`X509_NAME_ENTRY_get_data`].
1324	///
1325	/// [`X509_NAME_ENTRY_get_data`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_data.html
1326	pub fn data(&self) -> &Asn1StringRef {
1327	unsafe {
1328	let data = ffi::X509_NAME_ENTRY_get_data(self.as_ptr());
1329	Asn1StringRef::from_ptr(data)
1330	}
1331	}
1332
1333	/// Returns the `Asn1Object` value of an `X509NameEntry`.
1334	/// This is useful for finding out about the actual `Nid` when iterating over all `X509NameEntries`.
1335	///
1336	/// This corresponds to [`X509_NAME_ENTRY_get_object`].
1337	///
1338	/// [`X509_NAME_ENTRY_get_object`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_object.html
1339	pub fn object(&self) -> &Asn1ObjectRef {
1340	unsafe {
1341	let object = ffi::X509_NAME_ENTRY_get_object(self.as_ptr());
1342	Asn1ObjectRef::from_ptr(object)
1343	}
1344	}
1345	}
1346
1347	impl fmt::Debug for X509NameEntryRef {
1348	fn fmt(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
1349	formatter.write_fmt(format_args!("{:?} = {:?}", self.object(), self.data()))
1350	}
1351	}
1352
1353	/// A builder used to construct an `X509Req`.
1354	pub struct X509ReqBuilder(X509Req);
1355
1356	impl X509ReqBuilder {
1357	/// Returns a builder for a certificate request.
1358	///
1359	/// This corresponds to [`X509_REQ_new`].
1360	///
1361	///[`X509_REQ_new`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_new.html
1362	pub fn new() -> Result<X509ReqBuilder, ErrorStack> {
1363	unsafe {
1364	ffi::init();
1365	cvt_p(ffi::X509_REQ_new()).map(\|p\| X509ReqBuilder(X509Req(p)))
1366	}
1367	}
1368
1369	/// Set the numerical value of the version field.
1370	///
1371	/// This corresponds to [`X509_REQ_set_version`].
1372	///
1373	///[`X509_REQ_set_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_version.html
1374	#[allow(clippy::useless_conversion)]
1375	pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> {
1376	unsafe {
1377	cvt(ffi::X509_REQ_set_version(
1378	self.0.as_ptr(),
1379	version as c_long,
1380	))
1381	.map(\|_\| ())
1382	}
1383	}
1384
1385	/// Set the issuer name.
1386	///
1387	/// This corresponds to [`X509_REQ_set_subject_name`].
1388	///
1389	/// [`X509_REQ_set_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_subject_name.html
1390	pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> {
1391	unsafe {
1392	cvt(ffi::X509_REQ_set_subject_name(
1393	self.0.as_ptr(),
1394	subject_name.as_ptr(),
1395	))
1396	.map(\|_\| ())
1397	}
1398	}
1399
1400	/// Set the public key.
1401	///
1402	/// This corresponds to [`X509_REQ_set_pubkey`].
1403	///
1404	/// [`X509_REQ_set_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_pubkey.html
1405	pub fn set_pubkey<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack>
1406	where
1407	T: HasPublic,
1408	{
1409	unsafe { cvt(ffi::X509_REQ_set_pubkey(self.0.as_ptr(), key.as_ptr())).map(\|_\| ()) }
1410	}
1411
1412	/// Return an `X509v3Context`. This context object can be used to construct
1413	/// certain `X509` extensions.
1414	pub fn x509v3_context<'a>(&'a self, conf: Option<&'a ConfRef>) -> X509v3Context<'a> {
1415	unsafe {
1416	let mut ctx = mem::zeroed();
1417
1418	ffi::X509V3_set_ctx(
1419	&mut ctx,
1420	ptr::null_mut(),
1421	ptr::null_mut(),
1422	self.0.as_ptr(),
1423	ptr::null_mut(),
1424	`0`,
1425	);
1426
1427	// nodb case taken care of since we zeroed ctx above
1428	if let Some(conf) = conf {
1429	ffi::X509V3_set_nconf(&mut ctx, conf.as_ptr());
1430	}
1431
1432	X509v3Context(ctx, PhantomData)
1433	}
1434	}
1435
1436	/// Permits any number of extension fields to be added to the certificate.
1437	pub fn add_extensions(
1438	&mut self,
1439	extensions: &StackRef<X509Extension>,
1440	) -> Result<(), ErrorStack> {
1441	unsafe {
1442	cvt(ffi::X509_REQ_add_extensions(
1443	self.0.as_ptr(),
1444	extensions.as_ptr(),
1445	))
1446	.map(\|_\| ())
1447	}
1448	}
1449
1450	/// Sign the request using a private key.
1451	///
1452	/// This corresponds to [`X509_REQ_sign`].
1453	///
1454	/// [`X509_REQ_sign`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_sign.html
1455	pub fn sign<T>(&mut self, key: &PKeyRef<T>, hash: MessageDigest) -> Result<(), ErrorStack>
1456	where
1457	T: HasPrivate,
1458	{
1459	unsafe {
1460	cvt(ffi::X509_REQ_sign(
1461	self.0.as_ptr(),
1462	key.as_ptr(),
1463	hash.as_ptr(),
1464	))
1465	.map(\|_\| ())
1466	}
1467	}
1468
1469	/// Returns the `X509Req`.
1470	pub fn build(self) -> X509Req {
1471	self.0
1472	}
1473	}
1474
1475	foreign_type_and_impl_send_sync! {
1476	type CType = ffi::X509_REQ;
1477	fn drop = ffi::X509_REQ_free;
1478
1479	/// An `X509` certificate request.
1480	pub struct X509Req;
1481	/// Reference to `X509Req`.
1482	pub struct X509ReqRef;
1483	}
1484
1485	impl X509Req {
1486	/// A builder for `X509Req`.
1487	pub fn builder() -> Result<X509ReqBuilder, ErrorStack> {
1488	X509ReqBuilder::new()
1489	}
1490
1491	from_pem! {
1492	/// Deserializes a PEM-encoded PKCS#10 certificate request structure.
1493	///
1494	/// The input should have a header of `-----BEGIN CERTIFICATE REQUEST-----`.
1495	///
1496	/// This corresponds to [`PEM_read_bio_X509_REQ`].
1497	///
1498	/// [`PEM_read_bio_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/PEM_read_bio_X509_REQ.html
1499	from_pem,
1500	X509Req,
1501	ffi::PEM_read_bio_X509_REQ
1502	}
1503
1504	from_der! {
1505	/// Deserializes a DER-encoded PKCS#10 certificate request structure.
1506	///
1507	/// This corresponds to [`d2i_X509_REQ`].
1508	///
1509	/// [`d2i_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/d2i_X509_REQ.html
1510	from_der,
1511	X509Req,
1512	ffi::d2i_X509_REQ
1513	}
1514	}
1515
1516	impl X509ReqRef {
1517	to_pem! {
1518	/// Serializes the certificate request to a PEM-encoded PKCS#10 structure.
1519	///
1520	/// The output will have a header of `-----BEGIN CERTIFICATE REQUEST-----`.
1521	///
1522	/// This corresponds to [`PEM_write_bio_X509_REQ`].
1523	///
1524	/// [`PEM_write_bio_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/PEM_write_bio_X509_REQ.html
1525	to_pem,
1526	ffi::PEM_write_bio_X509_REQ
1527	}
1528
1529	to_der! {
1530	/// Serializes the certificate request to a DER-encoded PKCS#10 structure.
1531	///
1532	/// This corresponds to [`i2d_X509_REQ`].
1533	///
1534	/// [`i2d_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/i2d_X509_REQ.html
1535	to_der,
1536	ffi::i2d_X509_REQ
1537	}
1538
1539	to_pem! {
1540	/// Converts the request to human readable text.
1541	#[corresponds(X509_Req_print)]
1542	to_text,
1543	ffi::X509_REQ_print
1544	}
1545
1546	/// Returns the numerical value of the version field of the certificate request.
1547	///
1548	/// This corresponds to [`X509_REQ_get_version`]
1549	///
1550	/// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html
1551	#[allow(clippy::unnecessary_cast)]
1552	pub fn version(&self) -> i32 {
1553	unsafe { X509_REQ_get_version(self.as_ptr()) as i32 }
1554	}
1555
1556	/// Returns the subject name of the certificate request.
1557	///
1558	/// This corresponds to [`X509_REQ_get_subject_name`]
1559	///
1560	/// [`X509_REQ_get_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_subject_name.html
1561	pub fn subject_name(&self) -> &X509NameRef {
1562	unsafe {
1563	let name = X509_REQ_get_subject_name(self.as_ptr());
1564	X509NameRef::from_const_ptr_opt(name).expect("subject name must not be null")
1565	}
1566	}
1567
1568	/// Returns the public key of the certificate request.
1569	///
1570	/// This corresponds to [`X509_REQ_get_pubkey"]
1571	///
1572	/// [`X509_REQ_get_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_pubkey.html
1573	pub fn public_key(&self) -> Result<PKey<Public>, ErrorStack> {
1574	unsafe {
1575	let key = cvt_p(ffi::X509_REQ_get_pubkey(self.as_ptr()))?;
1576	Ok(PKey::from_ptr(key))
1577	}
1578	}
1579
1580	/// Check if the certificate request is signed using the given public key.
1581	///
1582	/// Returns `true` if verification succeeds.
1583	///
1584	/// This corresponds to [`X509_REQ_verify"].
1585	///
1586	/// [`X509_REQ_verify`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_verify.html
1587	pub fn verify<T>(&self, key: &PKeyRef<T>) -> Result<bool, ErrorStack>
1588	where
1589	T: HasPublic,
1590	{
1591	unsafe { cvt_n(ffi::X509_REQ_verify(self.as_ptr(), key.as_ptr())).map(\|n\| n != `0`) }
1592	}
1593
1594	/// Returns the extensions of the certificate request.
1595	///
1596	/// This corresponds to [`X509_REQ_get_extensions"]
1597	pub fn extensions(&self) -> Result<Stack<X509Extension>, ErrorStack> {
1598	unsafe {
1599	let extensions = cvt_p(ffi::X509_REQ_get_extensions(self.as_ptr()))?;
1600	Ok(Stack::from_ptr(extensions))
1601	}
1602	}
1603	}
1604
1605	/// The reason that a certificate was revoked.
1606	#[derive(Debug, Copy, Clone, PartialEq, Eq)]
1607	pub struct CrlReason(c_int);
1608
1609	#[allow(missing_docs)] // no need to document the constants
1610	impl CrlReason {
1611	pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED);
1612	pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE);
1613	pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE);
1614	pub const AFFILIATION_CHANGED: CrlReason = CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED);
1615	pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED);
1616	pub const CESSATION_OF_OPERATION: CrlReason = CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION);
1617	pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD);
1618	pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL);
1619	pub const PRIVILEGE_WITHDRAWN: CrlReason = CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN);
1620	pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE);
1621
1622	/// Constructs an `CrlReason` from a raw OpenSSL value.
1623	pub const fn from_raw(value: c_int) -> Self {
1624	CrlReason(value)
1625	}
1626
1627	/// Returns the raw OpenSSL value represented by this type.
1628	pub const fn as_raw(&self) -> c_int {
1629	self.0
1630	}
1631	}
1632
1633	foreign_type_and_impl_send_sync! {
1634	type CType = ffi::X509_REVOKED;
1635	fn drop = ffi::X509_REVOKED_free;
1636
1637	/// An `X509` certificate revocation status.
1638	pub struct X509Revoked;
1639	/// Reference to `X509Revoked`.
1640	pub struct X509RevokedRef;
1641	}
1642
1643	impl Stackable for X509Revoked {
1644	type StackType = ffi::stack_st_X509_REVOKED;
1645	}
1646
1647	impl X509Revoked {
1648	from_der! {
1649	/// Deserializes a DER-encoded certificate revocation status
1650	#[corresponds(d2i_X509_REVOKED)]
1651	from_der,
1652	X509Revoked,
1653	ffi::d2i_X509_REVOKED
1654	}
1655	}
1656
1657	impl X509RevokedRef {
1658	to_der! {
1659	/// Serializes the certificate request to a DER-encoded certificate revocation status
1660	#[corresponds(d2i_X509_REVOKED)]
1661	to_der,
1662	ffi::i2d_X509_REVOKED
1663	}
1664
1665	/// Copies the entry to a new `X509Revoked`.
1666	#[corresponds(X509_NAME_dup)]
1667	#[cfg(any(boringssl, ossl110, libressl270))]
1668	pub fn to_owned(&self) -> Result<X509Revoked, ErrorStack> {
1669	unsafe { cvt_p(ffi::X509_REVOKED_dup(self.as_ptr())).map(\|n\| X509Revoked::from_ptr(n)) }
1670	}
1671
1672	/// Get the date that the certificate was revoked
1673	#[corresponds(X509_REVOKED_get0_revocationDate)]
1674	pub fn revocation_date(&self) -> &Asn1TimeRef {
1675	unsafe {
1676	let r = X509_REVOKED_get0_revocationDate(self.as_ptr() as *const _);
1677	assert!(!r.is_null());
1678	Asn1TimeRef::from_ptr(r as *mut _)
1679	}
1680	}
1681
1682	/// Get the serial number of the revoked certificate
1683	#[corresponds(X509_REVOKED_get0_serialNumber)]
1684	pub fn serial_number(&self) -> &Asn1IntegerRef {
1685	unsafe {
1686	let r = X509_REVOKED_get0_serialNumber(self.as_ptr() as *const _);
1687	assert!(!r.is_null());
1688	Asn1IntegerRef::from_ptr(r as *mut _)
1689	}
1690	}
1691
1692	/// Get the criticality and value of an extension.
1693	///
1694	/// This returns None if the extension is not present or occurs multiple times.
1695	#[corresponds(X509_REVOKED_get_ext_d2i)]
1696	pub fn extension<T: ExtensionType>(&self) -> Result<Option<(bool, T::Output)>, ErrorStack> {
1697	let mut critical = `-1`;
1698	let out = unsafe {
1699	// SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED.
1700	let ext = ffi::X509_REVOKED_get_ext_d2i(
1701	self.as_ptr(),
1702	T::NID.as_raw(),
1703	&mut critical as *mut _,
1704	ptr::null_mut(),
1705	);
1706	// SAFETY: Extensions's contract promises that the type returned by
1707	// OpenSSL here is T::Output.
1708	T::Output::from_ptr_opt(ext as *mut _)
1709	};
1710	match (critical, out) {
1711	(`0`, Some(out)) => Ok(Some((`false`, out))),
1712	(`1`, Some(out)) => Ok(Some((`true`, out))),
1713	// -1 means the extension wasn't found, -2 means multiple were found.
1714	(-`1` \| -`2`, _) => Ok(None),
1715	// A critical value of 0 or 1 suggests success, but a null pointer
1716	// was returned so something went wrong.
1717	(`0` \| `1`, None) => Err(ErrorStack::get()),
1718	(c_int::MIN..=-`2` \| `2`.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical),
1719	}
1720	}
1721	}
1722
1723	/// The CRL entry extension identifying the reason for revocation see [`CrlReason`],
1724	/// this is as defined in RFC 5280 Section 5.3.1.
1725	pub enum ReasonCode {}
1726
1727	// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC
1728	// and in OpenSSL.
1729	unsafe impl ExtensionType for ReasonCode {
1730	const NID: Nid = Nid::from_raw(ffi::NID_crl_reason);
1731
1732	type Output = Asn1Enumerated;
1733	}
1734
1735	/// The CRL entry extension identifying the issuer of a certificate used in
1736	/// indirect CRLs, as defined in RFC 5280 Section 5.3.3.
1737	pub enum CertificateIssuer {}
1738
1739	// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC
1740	// and in OpenSSL.
1741	unsafe impl ExtensionType for CertificateIssuer {
1742	const NID: Nid = Nid::from_raw(ffi::NID_certificate_issuer);
1743
1744	type Output = Stack<GeneralName>;
1745	}
1746
1747	/// The CRL extension identifying how to access information and services for the issuer of the CRL
1748	pub enum AuthorityInformationAccess {}
1749
1750	// SAFETY: AuthorityInformationAccess is defined to be a stack of AccessDescription in the RFC
1751	// and in OpenSSL.
1752	unsafe impl ExtensionType for AuthorityInformationAccess {
1753	const NID: Nid = Nid::from_raw(ffi::NID_info_access);
1754
1755	type Output = Stack<AccessDescription>;
1756	}
1757
1758	foreign_type_and_impl_send_sync! {
1759	type CType = ffi::X509_CRL;
1760	fn drop = ffi::X509_CRL_free;
1761
1762	/// An `X509` certificate revocation list.
1763	pub struct X509Crl;
1764	/// Reference to `X509Crl`.
1765	pub struct X509CrlRef;
1766	}
1767
1768	/// The status of a certificate in a revoction list
1769	///
1770	/// Corresponds to the return value from the [`X509_CRL_get0_by_`] methods.*
1771	///
1772	/// [`X509_CRL_get0_by_`]: https://www.openssl.org/docs/man1.1.0/man3/X509_CRL_get0_by_serial.html*
1773	pub enum CrlStatus<'a> {
1774	/// The certificate is not present in the list
1775	NotRevoked,
1776	/// The certificate is in the list and is revoked
1777	Revoked(&'a X509RevokedRef),
1778	/// The certificate is in the list, but has the "removeFromCrl" status.
1779	///
1780	/// This can occur if the certificate was revoked with the "CertificateHold"
1781	/// reason, and has since been unrevoked.
1782	RemoveFromCrl(&'a X509RevokedRef),
1783	}
1784
1785	impl<'a> CrlStatus<'a> {
1786	// Helper used by the X509_CRL_get0_by_ methods to convert their return*
1787	// value to the status enum.
1788	// Safety note: the returned CrlStatus must not outlive the owner of the
1789	// revoked_entry pointer.
1790	unsafe fn from_ffi_status(
1791	status: c_int,
1792	revoked_entry: *mut ffi::X509_REVOKED,
1793	) -> CrlStatus<'a> {
1794	match status {
1795	`0` => CrlStatus::NotRevoked,
1796	`1` => {
1797	assert!(!revoked_entry.is_null());
1798	CrlStatus::Revoked(X509RevokedRef::from_ptr(revoked_entry))
1799	}
1800	`2` => {
1801	assert!(!revoked_entry.is_null());
1802	CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry))
1803	}
1804	_ => unreachable!(
1805	"{}",
1806	"X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."
1807	),
1808	}
1809	}
1810	}
1811
1812	impl X509Crl {
1813	from_pem! {
1814	/// Deserializes a PEM-encoded Certificate Revocation List
1815	///
1816	/// The input should have a header of `-----BEGIN X509 CRL-----`.
1817	#[corresponds(PEM_read_bio_X509_CRL)]
1818	from_pem,
1819	X509Crl,
1820	ffi::PEM_read_bio_X509_CRL
1821	}
1822
1823	from_der! {
1824	/// Deserializes a DER-encoded Certificate Revocation List
1825	#[corresponds(d2i_X509_CRL)]
1826	from_der,
1827	X509Crl,
1828	ffi::d2i_X509_CRL
1829	}
1830	}
1831
1832	impl X509CrlRef {
1833	to_pem! {
1834	/// Serializes the certificate request to a PEM-encoded Certificate Revocation List.
1835	///
1836	/// The output will have a header of `-----BEGIN X509 CRL-----`.
1837	#[corresponds(PEM_write_bio_X509_CRL)]
1838	to_pem,
1839	ffi::PEM_write_bio_X509_CRL
1840	}
1841
1842	to_der! {
1843	/// Serializes the certificate request to a DER-encoded Certificate Revocation List.
1844	#[corresponds(i2d_X509_CRL)]
1845	to_der,
1846	ffi::i2d_X509_CRL
1847	}
1848
1849	/// Get the stack of revocation entries
1850	pub fn get_revoked(&self) -> Option<&StackRef<X509Revoked>> {
1851	unsafe {
1852	let revoked = X509_CRL_get_REVOKED(self.as_ptr());
1853	if revoked.is_null() {
1854	None
1855	} else {
1856	Some(StackRef::from_ptr(revoked))
1857	}
1858	}
1859	}
1860
1861	/// Returns the CRL's `lastUpdate` time.
1862	#[corresponds(X509_CRL_get0_lastUpdate)]
1863	pub fn last_update(&self) -> &Asn1TimeRef {
1864	unsafe {
1865	let date = X509_CRL_get0_lastUpdate(self.as_ptr());
1866	assert!(!date.is_null());
1867	Asn1TimeRef::from_ptr(date as *mut _)
1868	}
1869	}
1870
1871	/// Returns the CRL's `nextUpdate` time.
1872	///
1873	/// If the `nextUpdate` field is missing, returns `None`.
1874	#[corresponds(X509_CRL_get0_nextUpdate)]
1875	pub fn next_update(&self) -> Option<&Asn1TimeRef> {
1876	unsafe {
1877	let date = X509_CRL_get0_nextUpdate(self.as_ptr());
1878	Asn1TimeRef::from_const_ptr_opt(date)
1879	}
1880	}
1881
1882	/// Get the revocation status of a certificate by its serial number
1883	#[corresponds(X509_CRL_get0_by_serial)]
1884	pub fn get_by_serial<'a>(&'a self, serial: &Asn1IntegerRef) -> CrlStatus<'a> {
1885	unsafe {
1886	let mut ret = ptr::null_mut::<ffi::X509_REVOKED>();
1887	let status =
1888	ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr());
1889	CrlStatus::from_ffi_status(status, ret)
1890	}
1891	}
1892
1893	/// Get the revocation status of a certificate
1894	#[corresponds(X509_CRL_get0_by_cert)]
1895	pub fn get_by_cert<'a>(&'a self, cert: &X509) -> CrlStatus<'a> {
1896	unsafe {
1897	let mut ret = ptr::null_mut::<ffi::X509_REVOKED>();
1898	let status =
1899	ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr());
1900	CrlStatus::from_ffi_status(status, ret)
1901	}
1902	}
1903
1904	/// Get the issuer name from the revocation list.
1905	#[corresponds(X509_CRL_get_issuer)]
1906	pub fn issuer_name(&self) -> &X509NameRef {
1907	unsafe {
1908	let name = X509_CRL_get_issuer(self.as_ptr());
1909	assert!(!name.is_null());
1910	X509NameRef::from_ptr(name)
1911	}
1912	}
1913
1914	/// Check if the CRL is signed using the given public key.
1915	///
1916	/// Only the signature is checked: no other checks (such as certificate chain validity)
1917	/// are performed.
1918	///
1919	/// Returns `true` if verification succeeds.
1920	#[corresponds(X509_CRL_verify)]
1921	pub fn verify<T>(&self, key: &PKeyRef<T>) -> Result<bool, ErrorStack>
1922	where
1923	T: HasPublic,
1924	{
1925	unsafe { cvt_n(ffi::X509_CRL_verify(self.as_ptr(), key.as_ptr())).map(\|n\| n != `0`) }
1926	}
1927
1928	/// Get the criticality and value of an extension.
1929	///
1930	/// This returns None if the extension is not present or occurs multiple times.
1931	#[corresponds(X509_CRL_get_ext_d2i)]
1932	pub fn extension<T: ExtensionType>(&self) -> Result<Option<(bool, T::Output)>, ErrorStack> {
1933	let mut critical = `-1`;
1934	let out = unsafe {
1935	// SAFETY: self.as_ptr() is a valid pointer to an X509_CRL.
1936	let ext = ffi::X509_CRL_get_ext_d2i(
1937	self.as_ptr(),
1938	T::NID.as_raw(),
1939	&mut critical as *mut _,
1940	ptr::null_mut(),
1941	);
1942	// SAFETY: Extensions's contract promises that the type returned by
1943	// OpenSSL here is T::Output.
1944	T::Output::from_ptr_opt(ext as *mut _)
1945	};
1946	match (critical, out) {
1947	(`0`, Some(out)) => Ok(Some((`false`, out))),
1948	(`1`, Some(out)) => Ok(Some((`true`, out))),
1949	// -1 means the extension wasn't found, -2 means multiple were found.
1950	(-`1` \| -`2`, _) => Ok(None),
1951	// A critical value of 0 or 1 suggests success, but a null pointer
1952	// was returned so something went wrong.
1953	(`0` \| `1`, None) => Err(ErrorStack::get()),
1954	(c_int::MIN..=-`2` \| `2`.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical),
1955	}
1956	}
1957	}
1958
1959	/// The result of peer certificate verification.
1960	#[derive(Copy, Clone, PartialEq, Eq)]
1961	pub struct X509VerifyResult(c_int);
1962
1963	impl fmt::Debug for X509VerifyResult {
1964	fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
1965	fmt&mut DebugStruct<'_, '_>.debug_struct("X509VerifyResult")
1966	.field("code", &self.0)
1967	.field(name:"error", &self.error_string())
1968	.finish()
1969	}
1970	}
1971
1972	impl fmt::Display for X509VerifyResult {
1973	fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
1974	fmt.write_str(self.error_string())
1975	}
1976	}
1977
1978	impl Error for X509VerifyResult {}
1979
1980	impl X509VerifyResult {
1981	/// Creates an `X509VerifyResult` from a raw error number.
1982	///
1983	/// # Safety
1984	///
1985	/// Some methods on `X509VerifyResult` are not thread safe if the error
1986	/// number is invalid.
1987	pub unsafe fn from_raw(err: c_int) -> X509VerifyResult {
1988	X509VerifyResult(err)
1989	}
1990
1991	/// Return the integer representation of an `X509VerifyResult`.
1992	#[allow(clippy::trivially_copy_pass_by_ref)]
1993	pub fn as_raw(&self) -> c_int {
1994	self.0
1995	}
1996
1997	/// Return a human readable error string from the verification error.
1998	///
1999	/// This corresponds to [`X509_verify_cert_error_string`].
2000	///
2001	/// [`X509_verify_cert_error_string`]: https://www.openssl.org/docs/manmaster/crypto/X509_verify_cert_error_string.html
2002	#[allow(clippy::trivially_copy_pass_by_ref)]
2003	pub fn error_string(&self) -> &'static str {
2004	ffi::init();
2005
2006	unsafe {
2007	let s = ffi::X509_verify_cert_error_string(self.0 as c_long);
2008	str::from_utf8(CStr::from_ptr(s).to_bytes()).unwrap()
2009	}
2010	}
2011
2012	/// Successful peer certificate verification.
2013	pub const OK: X509VerifyResult = X509VerifyResult(ffi::X509_V_OK);
2014	/// Application verification failure.
2015	pub const APPLICATION_VERIFICATION: X509VerifyResult =
2016	X509VerifyResult(ffi::X509_V_ERR_APPLICATION_VERIFICATION);
2017	}
2018
2019	foreign_type_and_impl_send_sync! {
2020	type CType = ffi::GENERAL_NAME;
2021	fn drop = ffi::GENERAL_NAME_free;
2022
2023	/// An `X509` certificate alternative names.
2024	pub struct GeneralName;
2025	/// Reference to `GeneralName`.
2026	pub struct GeneralNameRef;
2027	}
2028
2029	impl GeneralName {
2030	unsafe fn new(
2031	type_: c_int,
2032	asn1_type: Asn1Type,
2033	value: &[u8],
2034	) -> Result<GeneralName, ErrorStack> {
2035	ffi::init();
2036	let gn = GeneralName::from_ptr(cvt_p(ffi::GENERAL_NAME_new())?);
2037	(*gn.as_ptr()).type_ = type_;
2038	let s = cvt_p(ffi::ASN1_STRING_type_new(asn1_type.as_raw()))?;
2039	ffi::ASN1_STRING_set(s, value.as_ptr().cast(), value.len().try_into().unwrap());
2040
2041	#[cfg(boringssl)]
2042	{
2043	(*gn.as_ptr()).d.ptr = s.cast();
2044	}
2045	#[cfg(not(boringssl))]
2046	{
2047	(*gn.as_ptr()).d = s.cast();
2048	}
2049
2050	Ok(gn)
2051	}
2052
2053	pub(crate) fn new_email(email: &[u8]) -> Result<GeneralName, ErrorStack> {
2054	unsafe { GeneralName::new(ffi::GEN_EMAIL, Asn1Type::IA5STRING, email) }
2055	}
2056
2057	pub(crate) fn new_dns(dns: &[u8]) -> Result<GeneralName, ErrorStack> {
2058	unsafe { GeneralName::new(ffi::GEN_DNS, Asn1Type::IA5STRING, dns) }
2059	}
2060
2061	pub(crate) fn new_uri(uri: &[u8]) -> Result<GeneralName, ErrorStack> {
2062	unsafe { GeneralName::new(ffi::GEN_URI, Asn1Type::IA5STRING, uri) }
2063	}
2064
2065	pub(crate) fn new_ip(ip: IpAddr) -> Result<GeneralName, ErrorStack> {
2066	match ip {
2067	IpAddr::V4(addr) => unsafe {
2068	GeneralName::new(ffi::GEN_IPADD, Asn1Type::OCTET_STRING, &addr.octets())
2069	},
2070	IpAddr::V6(addr) => unsafe {
2071	GeneralName::new(ffi::GEN_IPADD, Asn1Type::OCTET_STRING, &addr.octets())
2072	},
2073	}
2074	}
2075
2076	pub(crate) fn new_rid(oid: Asn1Object) -> Result<GeneralName, ErrorStack> {
2077	unsafe {
2078	ffi::init();
2079	let gn = cvt_p(ffi::GENERAL_NAME_new())?;
2080	(*gn).type_ = ffi::GEN_RID;
2081
2082	#[cfg(boringssl)]
2083	{
2084	(*gn).d.registeredID = oid.as_ptr();
2085	}
2086	#[cfg(not(boringssl))]
2087	{
2088	(*gn).d = oid.as_ptr().cast();
2089	}
2090
2091	mem::forget(oid);
2092
2093	Ok(GeneralName::from_ptr(gn))
2094	}
2095	}
2096
2097	pub(crate) fn new_other_name(
2098	oid: Asn1Object,
2099	value: &Vec<u8>,
2100	) -> Result<GeneralName, ErrorStack> {
2101	unsafe {
2102	ffi::init();
2103
2104	let typ = cvt_p(ffi::d2i_ASN1_TYPE(
2105	ptr::null_mut(),
2106	&mut value.as_ptr().cast(),
2107	value.len().try_into().unwrap(),
2108	))?;
2109
2110	let gn = cvt_p(ffi::GENERAL_NAME_new())?;
2111	(*gn).type_ = ffi::GEN_OTHERNAME;
2112
2113	if let Err(e) = cvt(ffi::GENERAL_NAME_set0_othername(
2114	gn,
2115	oid.as_ptr().cast(),
2116	typ,
2117	)) {
2118	ffi::GENERAL_NAME_free(gn);
2119	return Err(e);
2120	}
2121
2122	mem::forget(oid);
2123
2124	Ok(GeneralName::from_ptr(gn))
2125	}
2126	}
2127	}
2128
2129	impl GeneralNameRef {
2130	fn ia5_string(&self, ffi_type: c_int) -> Option<&str> {
2131	unsafe {
2132	if (*self.as_ptr()).type_ != ffi_type {
2133	return None;
2134	}
2135
2136	#[cfg(boringssl)]
2137	let d = (*self.as_ptr()).d.ptr;
2138	#[cfg(not(boringssl))]
2139	let d = (*self.as_ptr()).d;
2140
2141	let ptr = ASN1_STRING_get0_data(d as *mut _);
2142	let len = ffi::ASN1_STRING_length(d as *mut _);
2143
2144	#[allow(clippy::unnecessary_cast)]
2145	let slice = slice::from_raw_parts(ptr as *const u8, len as usize);
2146	// IA5Strings are stated to be ASCII (specifically IA5). Hopefully
2147	// OpenSSL checks that when loading a certificate but if not we'll
2148	// use this instead of from_utf8_unchecked just in case.
2149	str::from_utf8(slice).ok()
2150	}
2151	}
2152
2153	/// Returns the contents of this `GeneralName` if it is an `rfc822Name`.
2154	pub fn email(&self) -> Option<&str> {
2155	self.ia5_string(ffi::GEN_EMAIL)
2156	}
2157
2158	/// Returns the contents of this `GeneralName` if it is a `directoryName`.
2159	pub fn directory_name(&self) -> Option<&X509NameRef> {
2160	unsafe {
2161	if (*self.as_ptr()).type_ != ffi::GEN_DIRNAME {
2162	return None;
2163	}
2164
2165	#[cfg(boringssl)]
2166	let d = (*self.as_ptr()).d.ptr;
2167	#[cfg(not(boringssl))]
2168	let d = (*self.as_ptr()).d;
2169
2170	Some(X509NameRef::from_const_ptr(d as *const _))
2171	}
2172	}
2173
2174	/// Returns the contents of this `GeneralName` if it is a `dNSName`.
2175	pub fn dnsname(&self) -> Option<&str> {
2176	self.ia5_string(ffi::GEN_DNS)
2177	}
2178
2179	/// Returns the contents of this `GeneralName` if it is an `uniformResourceIdentifier`.
2180	pub fn uri(&self) -> Option<&str> {
2181	self.ia5_string(ffi::GEN_URI)
2182	}
2183
2184	/// Returns the contents of this `GeneralName` if it is an `iPAddress`.
2185	pub fn ipaddress(&self) -> Option<&[u8]> {
2186	unsafe {
2187	if (*self.as_ptr()).type_ != ffi::GEN_IPADD {
2188	return None;
2189	}
2190	#[cfg(boringssl)]
2191	let d: *const ffi::ASN1_STRING = std::mem::transmute((*self.as_ptr()).d);
2192	#[cfg(not(boringssl))]
2193	let d = (*self.as_ptr()).d;
2194
2195	let ptr = ASN1_STRING_get0_data(d as *mut _);
2196	let len = ffi::ASN1_STRING_length(d as *mut _);
2197
2198	#[allow(clippy::unnecessary_cast)]
2199	Some(slice::from_raw_parts(ptr as *const u8, len as usize))
2200	}
2201	}
2202	}
2203
2204	impl fmt::Debug for GeneralNameRef {
2205	fn fmt(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
2206	if let Some(email: &str) = self.email() {
2207	formatter.write_str(data:email)
2208	} else if let Some(dnsname: &str) = self.dnsname() {
2209	formatter.write_str(data:dnsname)
2210	} else if let Some(uri: &str) = self.uri() {
2211	formatter.write_str(data:uri)
2212	} else if let Some(ipaddress: &[u8]) = self.ipaddress() {
2213	let address: Result = <[u8; `16`]>::try_from(ipaddress)
2214	.map(IpAddr::from)
2215	.or_else(\|_\| <[u8; `4`]>::try_from(ipaddress).map(op:IpAddr::from));
2216	match address {
2217	Ok(a: IpAddr) => fmt::Debug::fmt(&a, f:formatter),
2218	Err(_) => fmt::Debug::fmt(self:ipaddress, f:formatter),
2219	}
2220	} else {
2221	formatter.write_str(data:"(empty)")
2222	}
2223	}
2224	}
2225
2226	impl Stackable for GeneralName {
2227	type StackType = ffi::stack_st_GENERAL_NAME;
2228	}
2229
2230	foreign_type_and_impl_send_sync! {
2231	type CType = ffi::DIST_POINT;
2232	fn drop = ffi::DIST_POINT_free;
2233
2234	/// A `X509` distribution point.
2235	pub struct DistPoint;
2236	/// Reference to `DistPoint`.
2237	pub struct DistPointRef;
2238	}
2239
2240	impl DistPointRef {
2241	/// Returns the name of this distribution point if it exists
2242	pub fn distpoint(&self) -> Option<&DistPointNameRef> {
2243	unsafe { DistPointNameRef::from_const_ptr_opt((*self.as_ptr()).distpoint) }
2244	}
2245	}
2246
2247	foreign_type_and_impl_send_sync! {
2248	type CType = ffi::DIST_POINT_NAME;
2249	fn drop = ffi::DIST_POINT_NAME_free;
2250
2251	/// A `X509` distribution point.
2252	pub struct DistPointName;
2253	/// Reference to `DistPointName`.
2254	pub struct DistPointNameRef;
2255	}
2256
2257	impl DistPointNameRef {
2258	/// Returns the contents of this DistPointName if it is a fullname.
2259	pub fn fullname(&self) -> Option<&StackRef<GeneralName>> {
2260	unsafe {
2261	if (*self.as_ptr()).type_ != `0` {
2262	return None;
2263	}
2264	StackRef::from_const_ptr_opt((*self.as_ptr()).name.fullname)
2265	}
2266	}
2267	}
2268
2269	impl Stackable for DistPoint {
2270	type StackType = ffi::stack_st_DIST_POINT;
2271	}
2272
2273	foreign_type_and_impl_send_sync! {
2274	type CType = ffi::ACCESS_DESCRIPTION;
2275	fn drop = ffi::ACCESS_DESCRIPTION_free;
2276
2277	/// `AccessDescription` of certificate authority information.
2278	pub struct AccessDescription;
2279	/// Reference to `AccessDescription`.
2280	pub struct AccessDescriptionRef;
2281	}
2282
2283	impl AccessDescriptionRef {
2284	/// Returns the access method OID.
2285	pub fn method(&self) -> &Asn1ObjectRef {
2286	unsafe { Asn1ObjectRef::from_ptr((*self.as_ptr()).method) }
2287	}
2288
2289	// Returns the access location.
2290	pub fn location(&self) -> &GeneralNameRef {
2291	unsafe { GeneralNameRef::from_ptr((*self.as_ptr()).location) }
2292	}
2293	}
2294
2295	impl Stackable for AccessDescription {
2296	type StackType = ffi::stack_st_ACCESS_DESCRIPTION;
2297	}
2298
2299	foreign_type_and_impl_send_sync! {
2300	type CType = ffi::X509_ALGOR;
2301	fn drop = ffi::X509_ALGOR_free;
2302
2303	/// An `X509` certificate signature algorithm.
2304	pub struct X509Algorithm;
2305	/// Reference to `X509Algorithm`.
2306	pub struct X509AlgorithmRef;
2307	}
2308
2309	impl X509AlgorithmRef {
2310	/// Returns the ASN.1 OID of this algorithm.
2311	pub fn object(&self) -> &Asn1ObjectRef {
2312	unsafe {
2313	let mut oid: *const ASN1_OBJECT = ptr::null();
2314	X509_ALGOR_get0(&mut oid, pptype:ptr::null_mut(), ppval:ptr::null_mut(), self.as_ptr());
2315	Asn1ObjectRef::from_const_ptr_opt(oid).expect(msg:"algorithm oid must not be null")
2316	}
2317	}
2318	}
2319
2320	foreign_type_and_impl_send_sync! {
2321	type CType = ffi::X509_OBJECT;
2322	fn drop = X509_OBJECT_free;
2323
2324	/// An `X509` or an X509 certificate revocation list.
2325	pub struct X509Object;
2326	/// Reference to `X509Object`
2327	pub struct X509ObjectRef;
2328	}
2329
2330	impl X509ObjectRef {
2331	pub fn x509(&self) -> Option<&X509Ref> {
2332	unsafe {
2333	let ptr: *mut X509 = X509_OBJECT_get0_X509(self.as_ptr());
2334	X509Ref::from_const_ptr_opt(ptr)
2335	}
2336	}
2337	}
2338
2339	impl Stackable for X509Object {
2340	type StackType = ffi::stack_st_X509_OBJECT;
2341	}
2342
2343	cfg_if! {
2344	if #[cfg(any(boringssl, ossl110, libressl273))] {
2345	use ffi::{X509_getm_notAfter, X509_getm_notBefore, X509_up_ref, X509_get0_signature};
2346	} else {
2347	#[allow(bad_style)]
2348	unsafe fn X509_getm_notAfter(x: *mut ffi::X509) -> *mut ffi::ASN1_TIME {
2349	(((*x).cert_info).validity).notAfter
2350	}
2351
2352	#[allow(bad_style)]
2353	unsafe fn X509_getm_notBefore(x: *mut ffi::X509) -> *mut ffi::ASN1_TIME {
2354	(((*x).cert_info).validity).notBefore
2355	}
2356
2357	#[allow(bad_style)]
2358	unsafe fn X509_up_ref(x: *mut ffi::X509) {
2359	ffi::CRYPTO_add_lock(
2360	&mut (*x).references,
2361	`1`,
2362	ffi::CRYPTO_LOCK_X509,
2363	"mod.rs`\0`".as_ptr() as *const _,
2364	line!() as c_int,
2365	);
2366	}
2367
2368	#[allow(bad_style)]
2369	unsafe fn X509_get0_signature(
2370	psig: *mut *const ffi::ASN1_BIT_STRING,
2371	palg: *mut *const ffi::X509_ALGOR,
2372	x: *const ffi::X509,
2373	) {
2374	if !psig.is_null() {
2375	psig = (x).signature;
2376	}
2377	if !palg.is_null() {
2378	palg = (x).sig_alg;
2379	}
2380	}
2381	}
2382	}
2383
2384	cfg_if! {
2385	if #[cfg(any(boringssl, ossl110, libressl350))] {
2386	use ffi::{
2387	X509_ALGOR_get0, ASN1_STRING_get0_data, X509_STORE_CTX_get0_chain, X509_set1_notAfter,
2388	X509_set1_notBefore, X509_REQ_get_version, X509_REQ_get_subject_name,
2389	};
2390	} else {
2391	use ffi::{
2392	ASN1_STRING_data as ASN1_STRING_get0_data,
2393	X509_STORE_CTX_get_chain as X509_STORE_CTX_get0_chain,
2394	X509_set_notAfter as X509_set1_notAfter,
2395	X509_set_notBefore as X509_set1_notBefore,
2396	};
2397
2398	#[allow(bad_style)]
2399	unsafe fn X509_REQ_get_version(x: *mut ffi::X509_REQ) -> ::libc::c_long {
2400	ffi::ASN1_INTEGER_get(((x).req_info).version)
2401	}
2402
2403	#[allow(bad_style)]
2404	unsafe fn X509_REQ_get_subject_name(x: *mut ffi::X509_REQ) -> *mut ::ffi::X509_NAME {
2405	((x).req_info).subject
2406	}
2407
2408	#[allow(bad_style)]
2409	unsafe fn X509_ALGOR_get0(
2410	paobj: *mut *const ffi::ASN1_OBJECT,
2411	pptype: *mut c_int,
2412	pval: *mut *mut ::libc::c_void,
2413	alg: *const ffi::X509_ALGOR,
2414	) {
2415	if !paobj.is_null() {
2416	paobj = (alg).algorithm;
2417	}
2418	assert!(pptype.is_null());
2419	assert!(pval.is_null());
2420	}
2421	}
2422	}
2423
2424	cfg_if! {
2425	if #[cfg(any(ossl110, boringssl, libressl270))] {
2426	use ffi::X509_OBJECT_get0_X509;
2427	} else {
2428	#[allow(bad_style)]
2429	unsafe fn X509_OBJECT_get0_X509(x: *mut ffi::X509_OBJECT) -> *mut ffi::X509 {
2430	if (*x).type_ == ffi::X509_LU_X509 {
2431	(*x).data.x509
2432	} else {
2433	ptr::null_mut()
2434	}
2435	}
2436	}
2437	}
2438
2439	cfg_if! {
2440	if #[cfg(any(ossl110, libressl350, boringssl))] {
2441	use ffi::X509_OBJECT_free;
2442	} else {
2443	#[allow(bad_style)]
2444	unsafe fn X509_OBJECT_free(x: *mut ffi::X509_OBJECT) {
2445	ffi::X509_OBJECT_free_contents(x);
2446	ffi::CRYPTO_free(x as *mut libc::c_void);
2447	}
2448	}
2449	}
2450
2451	cfg_if! {
2452	if #[cfg(any(ossl110, libressl350, boringssl))] {
2453	use ffi::{
2454	X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate,
2455	X509_CRL_get_REVOKED,
2456	X509_REVOKED_get0_revocationDate, X509_REVOKED_get0_serialNumber,
2457	};
2458	} else {
2459	#[allow(bad_style)]
2460	unsafe fn X509_CRL_get0_lastUpdate(x: *const ffi::X509_CRL) -> *mut ffi::ASN1_TIME {
2461	((x).crl).lastUpdate
2462	}
2463	#[allow(bad_style)]
2464	unsafe fn X509_CRL_get0_nextUpdate(x: *const ffi::X509_CRL) -> *mut ffi::ASN1_TIME {
2465	((x).crl).nextUpdate
2466	}
2467	#[allow(bad_style)]
2468	unsafe fn X509_CRL_get_issuer(x: *const ffi::X509_CRL) -> *mut ffi::X509_NAME {
2469	((x).crl).issuer
2470	}
2471	#[allow(bad_style)]
2472	unsafe fn X509_CRL_get_REVOKED(x: *const ffi::X509_CRL) -> *mut ffi::stack_st_X509_REVOKED {
2473	((x).crl).revoked
2474	}
2475	#[allow(bad_style)]
2476	unsafe fn X509_REVOKED_get0_serialNumber(x: *const ffi::X509_REVOKED) -> *mut ffi::ASN1_INTEGER {
2477	(*x).serialNumber
2478	}
2479	#[allow(bad_style)]
2480	unsafe fn X509_REVOKED_get0_revocationDate(x: *const ffi::X509_REVOKED) -> *mut ffi::ASN1_TIME {
2481	(*x).revocationDate
2482	}
2483	}
2484	}
2485
2486	#[derive(Copy, Clone, PartialEq, Eq)]
2487	pub struct X509PurposeId(c_int);
2488
2489	impl X509PurposeId {
2490	pub const SSL_CLIENT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_CLIENT);
2491	pub const SSL_SERVER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_SERVER);
2492	pub const NS_SSL_SERVER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_NS_SSL_SERVER);
2493	pub const SMIME_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SMIME_SIGN);
2494	pub const SMIME_ENCRYPT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SMIME_ENCRYPT);
2495	pub const CRL_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_CRL_SIGN);
2496	pub const ANY: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_ANY);
2497	pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER);
2498	pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN);
2499	#[cfg(ossl320)]
2500	pub const CODE_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_CODE_SIGN);
2501
2502	/// Constructs an `X509PurposeId` from a raw OpenSSL value.
2503	pub fn from_raw(id: c_int) -> Self {
2504	X509PurposeId(id)
2505	}
2506
2507	/// Returns the raw OpenSSL value represented by this type.
2508	pub fn as_raw(&self) -> c_int {
2509	self.0
2510	}
2511	}
2512
2513	/// A reference to an [`X509_PURPOSE`].
2514	pub struct X509PurposeRef(Opaque);
2515
2516	/// Implements a wrapper type for the static `X509_PURPOSE` table in OpenSSL.
2517	impl ForeignTypeRef for X509PurposeRef {
2518	type CType = ffi::X509_PURPOSE;
2519	}
2520
2521	impl X509PurposeRef {
2522	/// Get the internal table index of an X509_PURPOSE for a given short name. Valid short
2523	/// names include
2524	/// - "sslclient",
2525	/// - "sslserver",
2526	/// - "nssslserver",
2527	/// - "smimesign",
2528	/// - "smimeencrypt",
2529	/// - "crlsign",
2530	/// - "any",
2531	/// - "ocsphelper",
2532	/// - "timestampsign"
2533	/// The index can be used with `X509PurposeRef::from_idx()` to get the purpose.
2534	#[allow(clippy::unnecessary_cast)]
2535	pub fn get_by_sname(sname: &str) -> Result<c_int, ErrorStack> {
2536	unsafe {
2537	let sname = CString::new(sname).unwrap();
2538	cfg_if! {
2539	if #[cfg(any(ossl110, libressl280, boringssl))] {
2540	let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *const _))?;
2541	} else {
2542	let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *mut _))?;
2543	}
2544	}
2545	Ok(purpose)
2546	}
2547	}
2548	/// Get an `X509PurposeRef` for a given index value. The index can be obtained from e.g.
2549	/// `X509PurposeRef::get_by_sname()`.
2550	#[corresponds(X509_PURPOSE_get0)]
2551	pub fn from_idx(idx: c_int) -> Result<&'static X509PurposeRef, ErrorStack> {
2552	unsafe {
2553	let ptr = cvt_p_const(ffi::X509_PURPOSE_get0(idx))?;
2554	Ok(X509PurposeRef::from_const_ptr(ptr))
2555	}
2556	}
2557
2558	/// Get the purpose value from an X509Purpose structure. This value is one of
2559	/// - `X509_PURPOSE_SSL_CLIENT`
2560	/// - `X509_PURPOSE_SSL_SERVER`
2561	/// - `X509_PURPOSE_NS_SSL_SERVER`
2562	/// - `X509_PURPOSE_SMIME_SIGN`
2563	/// - `X509_PURPOSE_SMIME_ENCRYPT`
2564	/// - `X509_PURPOSE_CRL_SIGN`
2565	/// - `X509_PURPOSE_ANY`
2566	/// - `X509_PURPOSE_OCSP_HELPER`
2567	/// - `X509_PURPOSE_TIMESTAMP_SIGN`
2568	pub fn purpose(&self) -> X509PurposeId {
2569	unsafe {
2570	cfg_if! {
2571	if #[cfg(any(ossl110, libressl280, boringssl))] {
2572	let x509_purpose = self.as_ptr() as *const ffi::X509_PURPOSE;
2573	} else {
2574	let x509_purpose = self.as_ptr() as *mut ffi::X509_PURPOSE;
2575	}
2576	}
2577	X509PurposeId::from_raw(ffi::X509_PURPOSE_get_id(x509_purpose))
2578	}
2579	}
2580	}
2581